Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make payment_key derivation deterministic #3391

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Make payment_key derivation deterministic #3391

wants to merge 8 commits into from
+127 −111

Conversation

tnull
Copy link
Contributor

@tnull tnull commented Oct 31, 2024
edited
Loading

Previously, KeysManager::derive_channel_keys would derive the channel's payment_key uniquely on a per-channel basis which would disallow users losing their channel_keys_id to recover funds. As there is no necessity to have payment_key derivation depend on channel_keys_id we can allow for easier recovery of any non-HTLC encumbered funds if we make payment_key derivation deterministic.

Here we do just this but also include a larger refactor introducing a ChannelKeysDerivationParameters struct holding a versioning field to be able to express this change in the derivation scheme. To this end we ensure that legacy channels will continue to use the old derivation scheme after upgrade, while new channels will derive the payment_key
deterministicly.

To this end, we use the first byte of channel_keys_id as a versioning byte indicating the version of the used channel keys derivation scheme. Note that Previously KeysManager::generate_channel_keys_id would with
very high likelyhood never have generated a channel_keys_id with a non-null first byte, which makes this a backwards-compatible change for any users that didn't run custom implementations of
SignerProvider::generate_channel_keys_id conflicting with this assumption.

Apart from this, we add some refactoring commits that drop unused logic (Writeable for InMemorySigner) and rename fields to align them with the BOLTs for clarity.

We previously also discussed abusing the first byte of channel_keys_id as a version byte, which wouldn't require the overhead of introducing ChannelKeysDerivationParameters and serializing the channel_keys_derivation_version field independently everywhere. However, as discussed I now chose to go with the latter approach as it seems cleaner and more future-proof.

That said, looking for an approach ACK here before continuing. Will be draft until then.

TODO:

  • Fix one remaining failing test case.
  • Add test case for (partial) recovery from seed only.
  • Include commit adding a ChannelKeyDerivationParameters argument to get_shutdown_scriptpubkey, just as for the destination case. (cc @alecchendev)

@tnull tnull marked this pull request as draft October 31, 2024 10:33
@tnull tnull force-pushed the 2024-09-deterministic-payment-point branch 10 times, most recently from b8c5f77 to 5b17762 Compare October 31, 2024 14:28
@tnull
Drop InMemorySigner Writeable impl
6dfe913 
... which we haven't been using since 0.0.119 / commit
7a951b1.
@tnull
Rename payment_key to payment_basepoint in chan_utils
75c2b0a 
.. as it doesn't use the actual signer's `payment_key`, but the
associated public key.
@tnull
Rename params to channel_keys_id and take it by value
611c1a3 
.. to make the name more clear and since before we `clone` it in
`derive_channel_keys` anyways.
@tnull
Rename keys_id to channel_keys_id
782c718 
.. to align the field everywhere.
@tnull
Rename payment_point to payment_basepoint
6756dde 
.. to align the field naming with the spec for clarity.
@tnull
Make payment_key derivation deterministic
04c2bfc 
Previously, `KeysManager::derive_channel_keys` would derive the
channel's `payment_key` uniquely on a per-channel basis which would
disallow users losing their `channel_keys_id` to recover funds. As it's
no real necessity to have `payment_key` derivation depend on
`channel_keys_id` we can allow for easier recovery of any non-HTLC
encumbered funds if we make `payment_key` derivation deterministic.

To this end, we use the first byte of `channel_keys_id` as a versioning
byte indicating the version of the used channel keys derivation scheme.
Note that Previously `KeysManager::generate_channel_keys_id` would with
very high likelyhood never have generated a `channel_keys_id` with a
non-null first byte, which makes this a backwards-compatible change for
any users that didn't run custom implementations of
`SignerProvider::generate_channel_keys_id` conflicting with this
assumption.
@tnull
f Adjust test cases to accommodate new derivation scheme
58cdbc9 
Some test cases have hard-coded values which we change here (to be
squashed in after review).
@tnull
f Use deterministic payment keys in fuzzing
a7db955
@tnull tnull force-pushed the 2024-09-deterministic-payment-point branch from 5b17762 to a7db955 Compare November 6, 2024 11:14
@tnull tnull marked this pull request as ready for review November 6, 2024 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheBlueMatt TheBlueMatt Awaiting requested review from TheBlueMatt

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tnull